While several industries are heavily regulated, financial services is unique because its compliance landscape consists of various interconnected requirements across multiple agencies. For example, multiple agencies contribute to the Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) requirements, making BSA/AML one of the most expansive annual audits. A short list of agencies involved in BSA/AML includes:
- Federal Financial Institutions Examination Council (FFIEC)
- Financial Crimes Enforcement Network (FinCEN)
- Office of Foreign Assets Control (OFAC)
Know Your Customer (KYC) programs are fundamental to financial institutions’ BSA/AML compliance programs. Understanding how KYC is done and how to document your activities is critical to achieving your audit goals.
What Is Know Your Customer (KYC)?
Know Your Customer (KYC) is a set of procedures and guidelines that financial institutions use to mitigate financial fraud risks. A financial institution’s KYC program focuses on identifying risks associated with different types of customers and implementing identity verification controls that ensure the organization knows each customer’s true identity.
With a strong KYC program, financial institutions mitigate financial fraud risks, like money laundering and funding terrorism.
For example, the FFIEC’s BSA/AML Manual provides a high-level outline of increasingly risky customer profiles including:
- Nonresident alien offshore investor
- High net worth individuals
- Multiple tiered accounts
- Offshore and shell companies
As the customer’s risk level increases, financial institutions must implement appropriate KYC processes, like:
- Creating a basic customer profile and engaging in generic monitoring
- Creating unique profiles specific to a customer’s chosen products and services
- Collecting a source of wealth or financial statement
- Tailoring the transaction profile and monitoring to the unique risk
The Elements of a KYC Program
KYC is more than just a policy. It’s an integrated program for managing risk across the customer’s or account’s lifecycle.
Customer Identification Program (CIP)
During account opening, financial institutions must verify each customer’s identity. For each new person connected to an account, the institution must collect at least:
- Date of birth
- Government-issued identification number, like a tax identification number or Social Security number
The CIP policy should outline how the institution plans to verify the customer, including:
- Documents collected: unexpired government-issued ID with nationality, residence, and image like a driver’s license or passport
- Non-documentary methods: information from consumer reporting agency, public database, references from other financial institutions, financial statements
Further, during account opening, financial institutions must compare each customer name against various government lists, including the OFAC list of known or suspected terrorists and terrorist organizations.
Customer Due Diligence (CDD)
CDD policies, procedures, and processes enable financial institutions to gauge a customer’s likely transaction activities so that they can identify potentially suspicious activity. Formally incorporated into BSA/AML regulation through the 2016 FinCEN CDD Rule, CDD requires financial institutions to implement policies and procedures that:
- Identify and verify customer identities
- Identify and verify the identities of a company’s beneficial owners
- Develop risk profiles to help understand the nature and purpose of customer relationships
- Engage in ongoing suspicious transaction monitoring and maintain updated customer information
For low-risk customers, CDD requirements align to CIP. However, for customers who pose higher money laundering or terrorist financing risk, financial institutions need to engage in enhanced due diligence (EDD) that includes collecting and reviewing:
- Source of funds and wealth
- Occupation or type of business
- Proximity of residence or job to the financial institution
For business customers, EDD also includes:
- Financial statements
- Location of incorporation and primary place of business
- Proximity of place of business to the financial institution
- Description of primary trade area
- Expected domestic and international transactions and their respective volumes
- Description of business operations including total sales, currency, and major customers/suppliers
While CIP only occurs when a customer opens an account, CDD requires financial institutions to monitor the customer relationship over time. This process includes maintaining and updating the customer information in alignment with the risk profile. The customer’s risk profile may change based on various factors, including but not limited to:
- Significant, unexplained account activity changes
- Employment or business operations changes
- Business ownership changes
- Red flags arising from suspicious activity monitoring
- Law enforcement inquiries
- Negative media search results
- Time since the last gathering and review of customer information
What Is Electronic KYC (eKYC)?
Many legitimate customers want to circumvent the time-consuming process of opening an account in a bank branch.
Electronic Know Your Customer (eKYC) solutions use electronic identification (eID) for digital onboarding, enabling financial institutions to complete customer identity verification and due diligence processes remotely. With eID, financial institutions maintain BSA/AML compliance while providing the digital experiences that build stronger customer relationships.
With eKYC technologies, financial institutions can use identity proofing to verify customers’ identity with evidence that can include:
- Personal documents
- User attributes
- National identity systems
Using Digital Identity Services with Biometrics
In September 2022, Jimmy Kirby, FinCEN’s Acting Deputy Director, noted that to get financial services right, the industry needs to get identity right. When discussing a digital identity framework that can protect customers while protecting the U.S. financial system from illicit finance, he explained that digital identity services needed to:
- Be updated frequently
- Consider features related to source verification and interoperability
- Ensure that personally identifiable information (PII) remains secure and private
As financial institutions look for scalable, cost-efficient solutions that help them ensure that people remotely presenting themselves for financial activities are who they claim to be, they should look to solutions that incorporate robust biometrics.
Financial institutions already use biometrics as part of in-person CIP activities. Account representatives compare a person’s driver’s license or passport to the individual sitting in front of them. Biometric technologies give financial institutions a way to complete this process remotely by binding documents, unique physical identifiers, and a person’s device together.
Identity Data Integrity
When financial institutions use an identity proofing technology that incorporates biometrics, they can compare the documentation provided against public and private data sources. By aggregating the unique biometric identifiers and comparing the customer-provided identification documentation with other data sources, the financial institution implements a high confidence “duplicate check” that mitigates risks associated with identity theft and fraud.
Identity-related Suspicious Activity Reports (SARs) often arise from an inability to recognize fraudulent identities at account opening because forged documents can be highly sophisticated. Biometric technologies that include liveness detection leverage an applicant’s live selfie as part of the verification process. By combining images, liveness, and comparison to government lists, these biometric technologies reduce the likelihood that forged documents can trick financial institutions and their staff.
Identity Proofing for eKYC
Financial institutions need to meet customer expectations and compliance requirements. Customers want on-demand, remote account opening. BSA/AML requirements rely primarily on outdated, analog processes. To remain competitive, financial institutions need technologies that enable them to manage compliance without negatively impacting customer relationships.
Biometric technologies that incorporate facial recognition, liveness, and voice authentication services enable this highly regulated industry to adopt modern processes without facing compliance violations.